Security researcher Zammis Clark - a.k.a. Slipstream, Raylee, Rye and Rai, warning of "three OEM fails at once," has published proof-of-concept code to exploit multiple vulnerabilities that he discovered in three different preinstalled OEM software applications found on machines sold by Dell, Lenovo and Toshiba. The vulnerable software is Dell System Detect software versions 6.12.0.1 and before, Lenovo Solution Center version 3.1.004 and before, and Toshiba Service Station versions 2.6.14 and before.

As a result of the flaws, hundreds of millions of PCs are at risk of being remotely exploited. In just the third quarter of this year, for example, market researcher IDC reports that Lenovo and Dell respectively shipped 13 million and 10 million PCs globally, while Toshiba shipped 900,000 PCs in the United States alone.

Clark confirms to Information Security Media Group that he discovered the flaws found in the three software applications, and says that the impetus for doing so was "part being bored, part in reaction to the issues I and others found in [Dell Foundation Service] and all the other OEM bloatware issues found over the past year, some of which I helped to research." He confirms that he did not alert the vendors before releasing his proof-of-concept exploit code. "Full disclosure was done partly because I, and many others, hate bloatware and partly to make sure the vendors fix the issues found as fast as possible."

Lenovo has confirmed that it is investigating the reported flaws in its software. Dell and Toshiba did not immediately respond to a request for comment on Clark's related vulnerability alerts.

Dell Patch Introduces New Flaw

The reported flaw in Dell's software apparently resulted from the company's emergency fix for its Dell Foundation Services, which it released in November after security researcher Hanno Böck discovered that the software included a preinstalled root certificate and a private key that attackers could abuse to decrypt data or launch man-in-the-middle attacks (see Dell Releases Fix for Root Certificate Fail).

Dell quickly released a patch for the software, and on Nov. 30 Microsoft released a related emergency security update to the Windows Certificate Trust List (CTL) in all supported versions of Windows, disabling the ability to use the offending eDellRoot and DSDTestProvider certificates. "Even if the certificates are installed, they cannot be used," Dell says in a related blog post. "CTL updates are automatically pushed to both consumer and commercial Windows PCs. Most systems with Internet access should pick up the update within the next 24 hours."
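The CTL update stops Windows from trusting the two certificates, but it does not remove them, and a private key left in the machine store is still exportable by anyone with local access. The following PowerShell check is an added example, not code from the article, from Dell or from Microsoft; it lists any eDellRoot or DSDTestProvider entries in the local root stores, reports whether a private key is attached, and shows the removal command in dry-run mode. Matching on the certificate subject name is an assumption; match on the exact thumbprints instead if you have them from your own inventory.

```powershell
# Added example: find leftover eDellRoot / DSDTestProvider root certificates and
# report whether the private key that made them dangerous is still on the box.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Subject-name match is an assumption; prefer thumbprints if you have them.
$suspectPattern = 'CN=(eDellRoot|DSDTestProvider)'

function Get-SuspectRootCert {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $suspectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey   # True means the key is still present
                }
            }
    }
}

$found = @(Get-SuspectRootCert)
if ($found.Count -eq 0) {
    Write-Output 'No eDellRoot/DSDTestProvider certificates found in the root stores.'
} else {
    $found | Format-Table -AutoSize

    # The CTL only distrusts these certificates; delete them outright, and with
    # -DeleteKey so the private key goes too. Run elevated; drop -WhatIf to apply.
    foreach ($cert in $found) {
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -DeleteKey -WhatIf
    }
}
```

Run it again after removal: a certificate that reappears indicates the vendor service that installed it is still present and still re-adding it, which is the reason the Dell Foundation Services fix itself mattered.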

But Dell's patch "actually introduces a more serious issue," says Mustafa al-Bassam, a security engineer and former member of the hacking collective Lulzsec, via Twitter.

Indeed, Dell's patch included a fix for an API used by its software, to block attackers from retrieving details about the system. But despite the fix, the related Web service is still available, Clark says in a related blog post, noting that the application still responds to Windows Management Instrumentation queries, which will enable "access to information about hardware, installed software, running processes, installed services, accessible hard disks, filesystem metadata - filenames, file size, dates - and more."

Clark says the flaw can be exploited both via a local area network and remotely to bypass User Account Control (UAC) in Windows, which is designed to block unauthorized changes to a PC - made for example by malware or rogue users - by requiring administrator approval for those changes. Because the Dell application runs with administrator privileges, exploiting it gives an attacker the ability to remotely execute arbitrary code with administrator-level privileges, Clark says.

Lenovo Solution Center

Clark has also released proof-of-concept exploit code that targets three flaws in Lenovo Solution Center - relating to incorrect permissions, directory traversal and a cross-site request forgery vulnerability - that could be exploited to take remote control of a PC.

"We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible," Lenovo says in a Dec. 3 security alert. Lenovo says the software in question is designed to "[help] users get the most out of their PC experience" by allowing them to quickly review "system health, network connections and overall system security."

The U.S. Computer Emergency Readiness Team has issued a related alert about the three flaws, warning that they could be exploited by a malicious HTML document either emailed to victims as an attachment, or via a malicious Web page. US-CERT says it is "currently unaware of a practical solution to this problem," short of uninstalling the software. Likewise, to mitigate the flaw, Lenovo currently recommends that users "uninstall the Lenovo Solution Center application using the add / remove programs function."

The discovery of vulnerabilities in preinstalled Lenovo software follows the company earlier this year promising to cut down on such software, in the wake of facing heavy criticism for having preinstalled the Superfish Visual Discovery adware on many of its consumer laptops beginning in September 2014 (see Lenovo Promises: No More Bloatware).

Toshiba Service Station

Clark's final vulnerability report centers on the Toshiba Service Station application, which the company says will "automatically search for Toshiba software updates or other alerts from Toshiba that are specific to your computer system and its programs" and transmit related system information to Toshiba. The OEM notes that "this feature is enabled by default."

In a Dec. 5 security advisory, however, Clark warns that Toshiba Service Station versions 2.6.14 and below can be exploited "to read parts of the registry as system by local users of lower privilege" as well as to "bypass any read-deny permissions on the registry for lower-privileged users." Clark says the flaw stems from an incorrectly secured, XML-based API, and could be used to make changes directly to the system registry, thus facilitating remote exploitation of the affected system.

To mitigate this flaw - as with the Dell and Lenovo vulnerabilities - Clark recommends removing the Toshiba software from all affected devices.
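Since the recommended mitigation for all three products is removal, the first practical step on a fleet is to find out which machines still carry an affected build. The PowerShell inventory below is an added example, not code from the article or from Dell, Lenovo or Toshiba: it walks the Uninstall registry keys (including the per-user key, since Dell System Detect installs per user) and flags any of the three tools at or below the affected versions stated above (6.12.0.1, 3.1.004 and 2.6.14). The display-name patterns and the registry locations are assumptions; check them against Programs and Features on your own build before trusting a "not found" result.

```powershell
# Added example: flag installed OEM tools at or below the affected versions.
# Version ceilings come from the article; display-name patterns are assumptions.
$affectedTools = @(
    @{ Pattern = 'Dell System Detect';     MaxAffected = '6.12.0.1' },
    @{ Pattern = 'Lenovo Solution Center'; MaxAffected = '3.1.004'  },
    @{ Pattern = 'Toshiba Service Station'; MaxAffected = '2.6.14'  }
)

# HKLM (64- and 32-bit views) plus HKCU for per-user (ClickOnce-style) installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-PaddedVersion {
    param([string]$Text)
    # Pad to four numeric fields so that '2.6.14' and '2.6.14.0' compare equal;
    # [version] treats a missing field as -1, which would otherwise break the check.
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $parts = @($Text.Trim() -split '\.' | Select-Object -First 4)
    while ($parts.Count -lt 4) { $parts += '0' }
    $v = $null
    if ([version]::TryParse(($parts -join '.'), [ref]$v)) { return $v }
    return $null
}

function Get-VulnerableOemTool {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($tool in $affectedTools) {
                if ($entry.DisplayName -notlike "*$($tool.Pattern)*") { continue }
                $installed = ConvertTo-PaddedVersion $entry.DisplayVersion
                $ceiling   = ConvertTo-PaddedVersion $tool.MaxAffected
                # $null = version string did not parse; treat as "review by hand".
                $vulnerable = if ($installed) { $installed -le $ceiling } else { $null }
                [pscustomobject]@{
                    Name            = $entry.DisplayName
                    Version         = $entry.DisplayVersion
                    Vulnerable      = $vulnerable
                    UninstallString = $entry.UninstallString
                }
            }
        }
}

Get-VulnerableOemTool | Format-Table -AutoSize
```

The UninstallString column is what Add/Remove Programs would run; feeding it to a software-deployment tool is the fastest way to act on the article's advice across many machines, but confirm the per-user Dell entry is handled for every profile, not just the one running the script.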

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
